Possible Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by amateur09, Apr 28, 2025.

  1. amateur09

    amateur09 Private E-2

    My sister's computer: a local bank branch convinced her that she has malware on it. No other symptoms are apparent to me, like redirects or high CPU usage. Attached are the logs I could run. RogueKiller wouldn't open as a program; instead, when I clicked on the icon to open it, a whole bunch of lines of info flashed on the screen within a couple of seconds and stopped. I couldn't find any log from it. I also had trouble running MGtools, so I hope everything is there that you need. Thanks in advance.
     

  2. Oh My!

    Oh My! Malware Expert Staff Member

    Greetings and welcome to the Major Geeks Malware Forum.

    Please do this

    ===================================================

    Farbar Recovery Scan Tool (FRST)

    --------------------
    • Download FRST64 and save the file on your Desktop
    • If your computer language is other than English right click on the FRST64 icon and rename it to FRST64english
    • Right click on the icon and select Run as administrator
    • Note: If you receive any warning about the download it is a false positive and you can ignore it. Click on More info to get the Run anyway option
    • Click Yes to the disclaimer
    • Click Scan and allow the program to run
    • When completed, FRST.txt and Addition.txt reports will be saved on the Desktop
    • Please attach the reports to your reply
    ===================================================

    Things I would like to see in your next reply.
    • Attached reports
     
  3. amateur09

    amateur09 Private E-2

    Requested files attached.
     

  4. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the reports.

    ScreenConnect Client, a remote support program, is installed on the computer. It was installed on April 23, 2025. Oftentimes the presence of this program is indicative of a scam whereby a user is tricked into thinking their computer is infected. They then allow someone remote access to remove the "malicious software." Could this be the case with your sister?
     
  5. amateur09

    amateur09 Private E-2

    The timing would make sense. I think she got an email on the 25th saying she should complete her account setup for interbank transfers (which she doesn't do anyway). Fortunately she didn't proceed with answering the email. When she went to the bank with a printout of the email, they were convinced her computer was compromised. I did see a similar program in her Downloads folder that I deleted from the downloads. She is understandably concerned about whether something else needs to be done.
     
  6. amateur09

    amateur09 Private E-2

    I also just thought of this. I have her computer at my house, and while it was on earlier, Windows Defender identified something called GameHacker (I believe). Not sure if that's related or not, or whether it would be helpful.
     
  7. Oh My!

    Oh My! Malware Expert Staff Member

    Thank you for the information.

    What Windows Defender detected as GameHacker was actually MGtools.exe. That is why you could not run it.

    Let's do this.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336
    SearchScopes: HKU\S-1-5-21-4116640397-3324897568-117220919-1001 -> DefaultScope {0168F13E-2B63-45AD-B870-798EBE538E24} URL =
    SearchScopes: HKU\S-1-5-21-4116640397-3324897568-117220919-1001 -> {0168F13E-2B63-45AD-B870-798EBE538E24} URL =
    2025-04-26 10:16 - 2025-04-26 10:16 - 000000000 _____ C:\WINDOWS\invcol.tmp 
    CustomCLSID: HKU\S-1-5-21-4116640397-3324897568-117220919-1001_Classes\CLSID\{233525e0-5434-46ef-b464-fd7e45e2e145}\localserver32 -> "C:\Program Files (x86)\Intel\Driver and Support Assistant\DSATray.exe" -ToastActivated => No File 
    FirewallRules: [{1339D4F3-4378-4406-93E4-54FDBAB493CD}] => (Allow) C:\Program Files\WindowsApps\ScreenovateTechnologies.DellMobileConnect_2.0.8168.0_x64__0vhbc3ng4wbp0\app\DellMobileConnectClient.exe => No File 
    FirewallRules: [{6AE87DD3-B605-405A-BC64-B7E178960D92}] => (Allow) C:\Program Files\WindowsApps\ScreenovateTechnologies.DellMobileConnect_2.0.8168.0_x64__0vhbc3ng4wbp0\app\DellMobileConnectClient.exe => No File 
    S4 ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e); C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe [95512 2025-04-23] (Connectwise, LLC -> ) <==== ATTENTION 
    S4 ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2); C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe [95512 2025-04-23] (Connectwise, LLC -> ) <==== ATTENTION 
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e) => ""="Service" 
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2) => ""="Service" 
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Farbar Recovery Scan Tool SearchAll

    --------------------
    • Launch FRST
    • Copy and paste the following in the Search: box
    Code:
    SearchAll: Connectwise;ScreenConnect;"support.Client"
    
    • Click the Search Files button
    • When completed click OK and a Search.txt document will open on your desktop
    • Attach the report to your reply
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
    • Attached Search.txt file
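    The two indicators the fix above targets (a ScreenConnect client service deployed under the per-user ClickOnce folder and its SafeBoot\Network registration, installed days before the scan) can be pulled out of an FRST report automatically. The triage helper below is an added example written for this thread, not code from FRST or from MajorGeeks; the log lines it reads are constructed to mimic FRST's Services section with a placeholder GUID, and the list of remote-support markers is my own assumption.

```python
"""Triage FRST-style service lines and flag remote-support clients.

Added example for this thread (not part of FRST or the forum's fix scripts).
Parses constructed lines in the format FRST prints under "Services" and in its
registry section, then reports ScreenConnect-style clients together with the
facts a helper would ask about: install date, ClickOnce per-user deployment,
and SafeBoot\\Network registration (which lets the service start in Safe Mode
with Networking).
"""
import re
from dataclasses import dataclass
from datetime import date

# FRST service line, e.g.
# S4 ScreenConnect Client (guid); C:\path\x.exe [95512 2025-04-23] (Connectwise, LLC -> ) <==== ATTENTION
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>.+?);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<signer>[^)]*)\)"
)
# SafeBoot entry, e.g. HKLM\SYSTEM\...\SafeBoot\Network\ScreenConnect Client (guid) => ""="Service"
SAFEBOOT_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<name>.+?)\s+=>"
)
# Remote-support tools that warrant a question on a home PC (assumption: my own short list).
REMOTE_TOOL_MARKERS = ("screenconnect", "connectwise")

# Constructed sample mimicking FRST output; the GUID and ClickOnce folder names are placeholders.
SAMPLE_LOG = r"""
==================== Services (Whitelisted) ===================
R2 Dhcp; C:\WINDOWS\system32\dhcpcore.dll [1000000 2025-03-01] (Microsoft Windows -> Microsoft Corporation)
S4 ScreenConnect Client (00000000-0000-0000-0000-000000000001); C:\Users\user\AppData\Local\Apps\2.0\XXXXXXXX.XXX\YYYYYYYY.YYY\scre..tion_placeholder\ScreenConnect.ClientService.exe [95512 2025-04-23] (Connectwise, LLC -> ) <==== ATTENTION
==================== Other Areas ============================
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (00000000-0000-0000-0000-000000000001) => ""="Service"
"""
SCAN_DATE = date(2025, 4, 29)  # constructed: the day the report was produced


@dataclass
class ServiceEntry:
    start: str            # FRST start type, e.g. S4 (disabled) or R2 (running, auto)
    name: str             # service name, including the per-install GUID
    path: str             # binary path
    size: int             # file size in bytes
    installed: date       # file date FRST printed in brackets
    signer: str           # signer chain as FRST prints it
    safeboot_network: bool = False


def parse_frst(lines):
    """Return ServiceEntry objects, marking those also listed under SafeBoot\\Network."""
    services, safeboot_network = [], set()
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services.append(ServiceEntry(
                m["start"], m["name"], m["path"], int(m["size"]),
                date.fromisoformat(m["date"]), m["signer"].strip()))
            continue
        m = SAFEBOOT_RE.match(line)
        if m and m["mode"] == "Network":
            safeboot_network.add(m["name"])
    for svc in services:
        svc.safeboot_network = svc.name in safeboot_network
    return services


def flag_remote_support(services, scan_date, recent_days=30):
    """Return (service name, reasons) for each remote-support client found."""
    findings = []
    for svc in services:
        haystack = (svc.name + svc.path + svc.signer).lower()
        if not any(marker in haystack for marker in REMOTE_TOOL_MARKERS):
            continue
        reasons = [f"remote-support client: {svc.name}"]
        age = (scan_date - svc.installed).days
        if 0 <= age <= recent_days:
            reasons.append(f"installed {age} days before scan")
        if "\\appdata\\local\\apps\\2.0\\" in svc.path.lower():
            reasons.append("ClickOnce per-user deployment (no admin install needed)")
        if svc.safeboot_network:
            reasons.append("registered under SafeBoot\\Network")
        findings.append((svc.name, reasons))
    return findings


def triage_sample():
    """Run the helper over the constructed sample so it can be exercised stand-alone."""
    return flag_remote_support(parse_frst(SAMPLE_LOG.splitlines()), SCAN_DATE)


if __name__ == "__main__":
    for name, reasons in triage_sample():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Point it at a real FRST.txt by passing `open(path, encoding="utf-8", errors="replace")` to `parse_frst` instead of the sample; benign services such as the Dhcp line are parsed but never flagged.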
     
  8. amateur09

    amateur09 Private E-2

    Fix result of Farbar Recovery Scan Tool (x64) Version: 27-04-2025
    Ran by tcaun (29-04-2025 11:27:39) Run:1
    Running from C:\Users\tcaun\Desktop
    Loaded Profiles: tcaun
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336
    SearchScopes: HKU\S-1-5-21-4116640397-3324897568-117220919-1001 -> DefaultScope {0168F13E-2B63-45AD-B870-798EBE538E24} URL =
    SearchScopes: HKU\S-1-5-21-4116640397-3324897568-117220919-1001 -> {0168F13E-2B63-45AD-B870-798EBE538E24} URL =
    2025-04-26 10:16 - 2025-04-26 10:16 - 000000000 _____ C:\WINDOWS\invcol.tmp
    CustomCLSID: HKU\S-1-5-21-4116640397-3324897568-117220919-1001_Classes\CLSID\{233525e0-5434-46ef-b464-fd7e45e2e145}\localserver32 -> "C:\Program Files (x86)\Intel\Driver and Support Assistant\DSATray.exe" -ToastActivated => No File
    FirewallRules: [{1339D4F3-4378-4406-93E4-54FDBAB493CD}] => (Allow) C:\Program Files\WindowsApps\ScreenovateTechnologies.DellMobileConnect_2.0.8168.0_x64__0vhbc3ng4wbp0\app\DellMobileConnectClient.exe => No File
    FirewallRules: [{6AE87DD3-B605-405A-BC64-B7E178960D92}] => (Allow) C:\Program Files\WindowsApps\ScreenovateTechnologies.DellMobileConnect_2.0.8168.0_x64__0vhbc3ng4wbp0\app\DellMobileConnectClient.exe => No File
    S4 ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e); C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe [95512 2025-04-23] (Connectwise, LLC -> ) <==== ATTENTION
    S4 ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2); C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe [95512 2025-04-23] (Connectwise, LLC -> ) <==== ATTENTION
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e) => ""="Service"
    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2) => ""="Service"
    cmd: sfc /scannow
    cmd: DISM /Online /Cleanup-Image /CheckHealth
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336 => moved successfully
    "HKU\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope" => removed successfully
    HKU\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0168F13E-2B63-45AD-B870-798EBE538E24} => removed successfully
    C:\WINDOWS\invcol.tmp => moved successfully
    HKU\S-1-5-21-4116640397-3324897568-117220919-1001_Classes\CLSID\{233525e0-5434-46ef-b464-fd7e45e2e145} => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{1339D4F3-4378-4406-93E4-54FDBAB493CD}" => removed successfully
    "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{6AE87DD3-B605-405A-BC64-B7E178960D92}" => removed successfully
    HKLM\System\CurrentControlSet\Services\ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e) => removed successfully
    ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e) => service removed successfully
    HKLM\System\CurrentControlSet\Services\ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2) => removed successfully
    ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2) => service removed successfully
    HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (552057f7-402c-4540-af80-5fad72cb3b0e) => removed successfully
    HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (b4570723-2582-487e-855f-f8dab47093e2) => removed successfully

    ========= sfc /scannow =========



    Beginning system scan. This process will take some time.



    Beginning verification phase of system scan.




    Windows Resource Protection found corrupt files and successfully repaired them.

    For online repairs, details are included in the CBS log file located at

    windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline

    repairs, details are included in the log file provided by the /OFFLOGFILE flag.



    ========= End of CMD: =========


    ========= DISM /Online /Cleanup-Image /CheckHealth =========


    Deployment Image Servicing and Management tool
    Version: 10.0.19041.3636

    Image Version: 10.0.19045.5737

    No component store corruption detected.
    The operation completed successfully.


    ========= End of CMD: =========



    The system needed a reboot.

    ==== End of Fixlog 11:30:11 ====
     

  9. Oh My!

    Oh My! Malware Expert Staff Member

    This is our next step.

    ===================================================

    Farbar Recovery Scan Tool Fix

    --------------------
    • Right click on the FRST64 icon and select Run as administrator
    • Highlight the below information then hit the Ctrl + C keys at the same time and the text will be copied
    • There is no need to paste the information anywhere, FRST64 will do it for you
    Code:
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92
    DeleteValue: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fd282f9f_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\QuietHours|FullScreenProcess
    DeleteValue: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\ScreenConnect
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ScreenConnect_RASAPI32
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ScreenConnect_RASMANCS
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_907544628ed0271e
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071
    End::
    
    • Click Fix
    • When completed the tool will create a log on the desktop called Fixlog.txt. Please copy and paste the contents of the file in your reply.
    ===================================================

    Things I would like to see in your next reply. Please be sure to copy and paste any requested log information unless you are asked to attach it.
    • Fixlog
     
  10. amateur09

    amateur09 Private E-2

    Fix result of Farbar Recovery Scan Tool (x64) Version: 27-04-2025
    Ran by tcaun (29-04-2025 18:49:03) Run:2
    Running from C:\Users\tcaun\Desktop
    Loaded Profiles: tcaun
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    Start::
    CreateRestorePoint:
    CloseProcesses:
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06
    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92
    DeleteValue: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fd282f9f_0|""
    DeleteValue: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\QuietHours|FullScreenProcess
    DeleteValue: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store|C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe
    DeleteKey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\ScreenConnect
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ScreenConnect_RASAPI32
    DeleteKey: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ScreenConnect_RASMANCS
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_907544628ed0271e
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336
    DeleteKey: HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071
    End::
    *****************

    Restore point was successfully created.
    Processes closed successfully.

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071 => moved successfully

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a => moved successfully

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013 => moved successfully

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..dows_4b14c015c87c1ad8_0018.0003_none_57acc9dd3adfc036 => moved successfully

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06 => moved successfully

    "C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92" Folder move:

    C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92 => moved successfully
    "HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\fd282f9f_0\\" => removed successfully
    "HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\QuietHours\\FullScreenProcess" => removed successfully
    "HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\\C:\Users\tcaun\AppData\Local\Apps\2.0\DEW8JEAD.T3W\KMCWV7WP.AQO\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336\ScreenConnect.ClientService.exe" => removed successfully
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\ScreenConnect => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ScreenConnect_RASAPI32 => removed successfully
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ScreenConnect_RASMANCS => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre...exe_25b0fbb6ef7eb094_0018.0003_none_97cb907042c6ab92 => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..core_4b14c015c87c1ad8_0018.0003_none_5334f1fbfe91ad06 => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_b47bcb1fe7759013 => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..ient_4b14c015c87c1ad8_0018.0003_none_e94a4fce0de1030a => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_907544628ed0271e => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..tion_25b0fbb6ef7eb094_0018.0003_a8cca8cbb9318336 => removed successfully
    HKEY_USERS\S-1-5-21-4116640397-3324897568-117220919-1001\SOFTWARE\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components\scre..vice_4b14c015c87c1ad8_0018.0003_none_04888a4494511071 => removed successfully


    The system needed a reboot.

    ==== End of Fixlog 18:49:11 ====
     
  11. Oh My!

    Oh My! Malware Expert Staff Member

    That looks good.

    The program has been completely removed. Are you having any issues?
     
  12. amateur09

    amateur09 Private E-2

    Everything seems fine. Thanks so much--you folks are awesome. Any special suggestions to avoid this happening again?
     
  13. Oh My!

    Oh My! Malware Expert Staff Member

    It is our pleasure, thank you for your kind words.

    If this was the result of a scam, making sure your sister doesn't fall victim to it again is the most important step. If it wasn't scam-related, I am not sure how it ended up on the system. Of course this is assuming the issue was related to ScreenConnect. It is possible this was the result of a data breach not directly connected with the computer.

    Here is our final step and some additional information to consider.

    ===================================================

    KpRm by Kernel-panik

    --------------
    • Download KpRm and save it to your Desktop (see here if you must use Chrome)
    • Note: If the file is detected as malware, it is not malware and it is safe to download. The detection is a false positive.
    • Right click on the icon and select Run as administrator
    • Click Yes on the Disclaimer
    • Place a check mark in Delete Tools, Create Restore Point, and Delete in 7 days
    • Click Run
    • Click OK on All operations are completed
    • KpRm will delete itself from your Desktop, and you can either save or remove the report that is generated
    • You are free to remove any other tools/reports still remaining
    ===================================================

    All Clean!

    --------------

    Your computer is now clean. Please consider this going forward.

    ===================================================

    Please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

    Thank you for placing your trust in Major Geeks. It was a pleasure serving you.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Also: from Chaslang:

    There are many vehicles by which people get infected. Downloading and clicking on advertisements are only two possible ways. Others include, but are not limited to:

    * NOT KEEPING ALL SOFTWARE UPDATED!!!
    * surfing - usually certain websites are the main problem
    * clicking links to view pictures or videos, or listen to music, etc.
    * not reading what you are clicking on, and even if you do, it may be worded in a form to trick you into clicking the wrong answer. Sometimes the answer is the opposite of what you think. And sometimes there is no correct answer because it is already too late once the popup has appeared.
    * installing codecs to view videos or sound
    * installing cracks and or illegal software
    * downloading via P2P or Torrent programs
    * downloading from websites that do not check their downloads to see if they are safe; very few actually do this even though they say they do. (We do at Major Geeks!)
    * reading emails from unknown senders especially if you have html enabled and also especially if clicking on any attachments
    * reading emails from friends who don't know they are infected and may not even know they are sending you emails.

    I know that many people like to say that they don't understand how they are getting infected, but the fact remains that in most cases it is by their own doing. I surf more than most people and access all kinds of websites while trying to test various malware. I have to eliminate all of my protection (even my router which has a hardware firewall) and I still have a hard time getting infected and I have to knowingly agree to install things to get infected.

    General Tips for everyone (not just you)

    * If you do not have a router or do not have a router with a hardware firewall, then get one.
    * If you are not using a real bidirectional firewall then install one and only one. The Windows (any version) firewall is not adequate.
    * Install one and only one antivirus program.
    * Install one and only one realtime antispyware protection program
    * Install the below for background protection
    o SpywareBlaster
    o Spybot with SDHelper and use the Immunization feature
    * Do periodic scans with your AV and AS programs.
    * Use additional scan only programs like SUPERAntiSpyware and Malwarebytes.
     